SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for SQL metacharacters (which can include, for example, string literal delimiter characters and other characters that may be dangerous in various circumstances) embedded in SQL statements used to access a database or when user input is not strongly typed and thereby unexpectedly executed. SQL injection attacks, or SQL insertion attacks, can allow unauthorized retrieval and modification of data in a database, providing attackers with access to sensitive and otherwise secure data through manipulation of SQL statements. In a worst case scenario, SQL injection may even allow the attacker to take full control of the database server.
SQL is a database computer language designed for managing data in relational database management systems (RDBMS), and provides commands and instructions including data insert, query, update and delete, schema creation and modification, and data access control. Many web-based applications and web services process user input, or web requests, to generate a database query in SQL for accessing a database according to the web service's operations and the user input. SQL injection attacks use malicious user input to cause the web service to generate SQL statements that far exceed the scope the web service and database creators intended, including the provision of data to which the user would not normally be granted access.
A web application requiring user authentication provides an example of SQL injection. Upon accessing the web application, a visitor or user can encounter a login page requesting a user name and a password. A typical web application may query a database to determine if the user name and password pair is valid, authenticating the visitor as the identified user if validated or denying the login attempt otherwise. A common practice in performing such a database query is to construct, during the web application's processing, a string representing the database query using string concatenation or string formatting facilities to combine a predefined SQL code with the input received from the visitor, the result of which is a single string, or query string. Generally, the database can only differentiate SQL code from data (or user input) to the extent that the data is properly delimited during the database query's construction. Some web applications may not check the visitor's input for characters having special meaning in SQL statements and database processing. As a result, a malicious visitor could use one of the special characters to transcend the boundary between the SQL code and the data intended by the web application, thus altering the logic of the query by injecting the malicious user's own SQL code into the generated or constructed query string.
An example of the above event may use the following pseudocode representing the programming in the web application which constructs the underlying SQL database query. Generally, the SQL injection vulnerability may be considered to exist in the web application programming, in that the web application code constructs the SQL database query by concatenating user input directly into the SQL text, so the database has no way to tell the developer's intended code from the visitor's supplied data. The following is an example of web application or web service logic that may be used to insecurely construct a database query:
query = "SELECT * FROM accountsTable WHERE usernameColumn = '" + username + "' AND passwordColumn = '" + password + "';"
where “+” is a string concatenation operator. The terms username and password each represent a string variable containing the eponymous piece of user input. If the supplied username is “Mitch”, and the supplied password is “Wildcats”, the resulting database query string would be as follows:
SELECT * FROM accountsTable WHERE usernameColumn = 'Mitch' AND passwordColumn = 'Wildcats';
In the query, the single-quote character "'" is used to delimit string data. If the web application does not properly reject or sanitize input containing single-quotes, for example, a malicious visitor can inject SQL code as described above. For instance, if the username is entered as "Mitch';--" and the password is entered as "AnythingGoesHere", the following query string is generated as a result:
SELECT * FROM accountsTable WHERE usernameColumn = 'Mitch';--' AND passwordColumn = 'AnythingGoesHere';
The "'" character in the username input prematurely terminates the string literal that the SQL code expects to hold the username. The ";" character terminates the statement, and the "--" sequence turns the remainder of the query string into a SQL comment, so the database ignores everything after it, including the password check. The query actually processed by the database therefore checks only the username, which lets the malicious visitor log in as any user whose name is known without supplying that user's password. (The semicolon is not essential: the input "Mitch'--" has the same effect, and because many database drivers refuse to execute more than one statement per call, injected payloads commonly rely on the comment sequence alone. Note also that MySQL only treats "--" as a comment when it is followed by whitespace, so payloads for that database are often written with a trailing space after "--", or use "#" instead.) Such malicious input, crafted to manipulate the meaning of a database query generated by the web application, constitutes one example of a SQL injection attack or SQL injection exploit. In other instances, SQL injection attacks can be used to access and return data stored in the database beyond what the query was intended to expose. For example, where a query retrieves and displays records matching a user-supplied value, an input such as "' OR '1'='1" makes the WHERE clause true for every row, returning all data in the queried table when the database and web application lack appropriate protections.
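The scenario above, worked through as an added example (illustrative code written for this page, not code from the original text), in Python with the standard library's sqlite3 module: the vulnerable string-concatenation login beside its parameterized form, plus a concatenated lookup query showing the data-retrieval variant, all run against a constructed in-memory accountsTable. The function names, the sample accounts, and the search function are assumptions for the example; the table and column names and the "Mitch';--" payload are the page's own.

```python
import sqlite3

# Constructed sample accounts for this demonstration; not data from the original text.
# Plaintext passwords mirror the page's simplified schema; real systems store hashes.
SAMPLE_ACCOUNTS = [("Mitch", "Wildcats"), ("Alice", "s3cret"), ("Bob", "hunter2")]


def setup_db():
    """Create an in-memory SQLite database with the page's accountsTable layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountsTable (usernameColumn TEXT, passwordColumn TEXT)")
    conn.executemany("INSERT INTO accountsTable VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, as in the page's pseudocode.

    The database receives one string and cannot tell which quote characters came
    from the developer and which from the visitor. Returns the matched usernames;
    an empty list means the login is denied.
    """
    query = ("SELECT usernameColumn FROM accountsTable WHERE usernameColumn = '"
             + username + "' AND passwordColumn = '" + password + "';")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened form: a parameterized query.

    The SQL text is fixed and the inputs are bound as values, so a quote or
    comment sequence in the input is compared literally and never parsed as SQL.
    """
    query = ("SELECT usernameColumn FROM accountsTable "
             "WHERE usernameColumn = ? AND passwordColumn = ?")
    return [row[0] for row in conn.execute(query, (username, password))]


def search_vulnerable(conn, username):
    """A concatenated lookup query (hypothetical), showing the data-retrieval variant."""
    query = ("SELECT usernameColumn FROM accountsTable WHERE usernameColumn = '"
             + username + "';")
    return [row[0] for row in conn.execute(query)]


def demo():
    """Run the page's scenario end to end and return the observed results."""
    conn = setup_db()
    return {
        # Legitimate credentials work with both versions.
        "valid_vulnerable": login_vulnerable(conn, "Mitch", "Wildcats"),
        "valid_safe": login_safe(conn, "Mitch", "Wildcats"),
        # The page's payload: closes the string, ends the statement, comments out the rest.
        "bypass_vulnerable": login_vulnerable(conn, "Mitch';--", "AnythingGoesHere"),
        # The same payload against the parameterized query matches nothing.
        "bypass_safe": login_safe(conn, "Mitch';--", "AnythingGoesHere"),
        # A tautology makes the WHERE clause true for every row, dumping the table.
        "dump_vulnerable": sorted(search_vulnerable(conn, "' OR '1'='1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints each outcome: the concatenated login accepts the "Mitch';--" payload with a bogus password, the parameterized login rejects it, and the tautology input returns every account. SQLite's Python binding tolerates the trailing comment after the semicolon; drivers that reject anything after the first statement would still be bypassed by the shorter "Mitch'--" form, which is why the fix is binding parameters rather than filtering semicolons.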